I want to give access to a dir to a friend. He has access to the file system where the dir is located. I don't want to set the permissions for all users. How can I allow only one person to see the dir? Neither of us is a superuser.

11 Answers

With just normal UNIX permissions (user, group, everyone), you can't do this easily. If you don't need access to the directory anymore, you can possibly change the owner of the directory to your friend, which is valid on some Unices, but on most of them it is not.

However, if you have ACLs enabled on Linux, you can do this if you are the owner of the file. Just run the command setfacl -m user:friend:rwx filename, where friend is the account name of your friend and filename is the file. You can check that it went into effect by running getfacl filename; you should see the triad user:friend:rwx in the list. I haven't seen too many Linux systems which have ACLs enabled, though.
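An added example (not code from the answer above, nor from the acl project) that wraps the setfacl/getfacl steps just described in small POSIX shell functions and re-reads the ACL after setting it, so a typo in the user name or a filesystem mounted without ACL support is caught immediately. The function names, the numeric-uid comparison and the revoke helper are my own additions; the example assumes setfacl and getfacl are installed and that the target path lives on a filesystem mounted with ACL support.

```shell
# Added example: grant one user access to a file or directory with a POSIX
# ACL, as the owner and without root, then verify that the entry exists.
# Assumes the acl user-space tools (setfacl/getfacl) and an ACL-capable fs.

# resolve_uid USER -> prints the numeric uid for a login name or a number
resolve_uid() {
    case $1 in
        ''|*[!0-9]*) id -u "$1" ;;          # login name: ask the system
        *)           printf '%s\n' "$1" ;;  # already numeric
    esac
}

# acl_entry_for PATH USER -> prints the named "user:UID:perms" entry, if any.
# Numeric output makes the check independent of name resolution; the sed
# drops a trailing "#effective:" note that getfacl adds when a mask applies.
acl_entry_for() {
    uid=$(resolve_uid "$2") || return 1
    getfacl --omit-header --numeric "$1" 2>/dev/null \
        | grep "^user:${uid}:" | sed 's/[[:space:]]*#.*//'
}

# grant_user_acl PATH USER PERMS   (PERMS is an rwx triple such as r--, rwx)
# Returns 0 only if the entry is really present afterwards.
grant_user_acl() {
    uid=$(resolve_uid "$2") || return 1
    setfacl -m "user:${uid}:$3" "$1" || return 1
    [ "$(acl_entry_for "$1" "$2")" = "user:${uid}:$3" ]
}

# revoke_user_acl PATH USER -> removes the named entry again and confirms it
revoke_user_acl() {
    uid=$(resolve_uid "$2") || return 1
    setfacl -x "user:${uid}" "$1" && [ -z "$(acl_entry_for "$1" "$2")" ]
}

# Typical use (constructed names): grant read-only access to one account.
#   grant_user_acl /path/to/shared.txt friend r-- && echo granted
```

For a directory, repeat the grant with setfacl -d -m so that files created inside it inherit the entry, and keep in mind that the friend also needs execute permission on every parent directory to reach the path at all. Entries that carry an ACL are marked with a trailing + in ls -l output, which is a quick way to spot them later.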

This is something we had discussed back in school.
Goes roughly like this:

1. Create a directory (named data, for reference here).

2. Change permissions as "chmod 711 data":
   group and others have only x -- access to enter the directory;
   they cannot list the directory.

3. Now, create a directory difficult-name-here (this could be a hashed string).

4. Change permissions as "chmod a+rx difficult-name-here":
   contents of this directory are secure while the outer directory cannot be listed;
   people who know the "difficult name" can jump into this second directory
   with "cd path/to/data/difficult-name-here";
   others cannot see the name and cannot access directory contents.
   However, the root can always access everything (which is not a problem here).

5. Share the difficult-name-here with the people you want to give this data to.

6. Keep shared files in this second directory.

Quite crude, but if this can be broken without the unix access control breakage, I'd like to know.

Update on comment from dmckee:
This is exactly the conclusion we reached! "Security by obscurity" has limited safety.

Having said that, when designing protection for data,
it is important to identify its value.

You should target for:

  a cost of breaking the security that is higher than
  the cost of the secured content,
  by a factor proportional to your paranoia.

In this case, if the root decides to enumerate the directory tree somewhere in public access, your secret is out! But are you protecting from the root or their potential irresponsibility? If that is the case, you have a lot more to worry about than shared files.

Update about the not-working note in the question.
I've used this in the early days of Linux, so I know that it works.
If you get 'cannot access non-existent file' instead of 'permission denied', you have very likely made a mistake in the sequence. What you want should look like this:
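An added example, not the answerer's own listing, that builds the two-level layout from the recipe above with POSIX shell and checks the two mode bits the trick depends on: the outer directory must be 711 (enterable, not listable) and the inner one a+rx. The function names are mine, and the inner directory name is drawn from /dev/urandom as one way of producing the "difficult name"; the answer leaves that choice to you.

```shell
# Added example: create OUTER with mode 711 and a hard-to-guess subdirectory
# with mode 755 inside it, then verify the layout. Not from the original post.

# make_hidden_share OUTER -> prints the full path of the new inner directory
make_hidden_share() {
    outer=$1
    # 16 random bytes, hex encoded (32 chars); od and tr keep this POSIX.
    secret=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    mkdir -p "$outer/$secret" || return 1
    chmod 711 "$outer" || return 1          # others may enter but not list
    chmod 755 "$outer/$secret" || return 1  # a+rx: readable by whoever knows the name
    printf '%s\n' "$outer/$secret"
}

# mode_of PATH -> the ten-character type/permission field from ls -ld
# (cut drops a trailing "+" or "." that ACL or SELinux systems append)
mode_of() { ls -ld "$1" | cut -c1-10; }

# check_hidden_share OUTER INNER -> 0 if the layout matches the recipe
check_hidden_share() {
    [ "$(mode_of "$1")" = "drwx--x--x" ] || return 1
    [ "$(mode_of "$2")" = "drwxr-xr-x" ] || return 1
    case $2 in "$1"/*) ;; *) return 1 ;; esac   # inner must live inside outer
}

# Typical use (constructed path):
#   inner=$(make_hidden_share "$HOME/data") && check_hidden_share "$HOME/data" "$inner"
```

Two things to keep in mind when using this: files placed inside the inner directory still need their own read bit (for example 644), since a+rx on the directory only controls entering and listing it; and the name is only as secret as every place it ends up, including your friend's shell history and the argument list of any running process, which is the "limited safety" the update above refers to.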

Ryan was actually 100% correct, just backward. Since your friend (likely) has a unique group associated with his/her user name, change the group ownership of the directory in question to that group, most likely the friend's user name. In order to be able to share the contents between the two of you, you should retain ownership as the user:

chown -R youruser:friendgroup ~/foo/bar

Then assign appropriate permissions to the directory, dependent upon what access you wish the other user to have:

chmod -R 770 ~/foo/bar

would grant both of you full rwx access to the directory and its entire contents.

Please note that this assumes that no other user has been added to your friend's group. The system would not likely have made this assignment; however, as was mentioned before, the root user may do what they choose. You may use the groups command to see each group to which your friend, or an arbitrary user, belongs. Additionally, unless the permissions have been changed for some reason, you should be able to view the /etc/group file, which contains the group assignments for each group on the system.

This may require superuser privileges that he doesn't have. – Keck Sep 3 '09 at 13:57


Oh, I completely missed that line :x Then I'm at a loss. Guess I'd just go with sending it over mail locally -- not the best solution, but at least the file gets across to the other guy. – gaqzi Sep 3 '09 at 14:07
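An added example, not code from the answer or the comments above, that applies the chown/chmod 770 recipe and checks the assumption it rests on, namely that nobody else is a member of the friend's group. The /etc/group content below is a constructed sample so the example runs offline; on a real host you would pass /etc/group instead. The function names are my own.

```shell
# Added example: check group membership from an /etc/group-style file, then
# hand a directory to a group with the answer's chown/chmod 770 recipe.

# write_sample_group_file PATH -> writes a constructed /etc/group sample
write_sample_group_file() {
    cat > "$1" <<'EOF'
root:x:0:
sudo:x:27:alice,bob
alice:x:1001:
bob:x:1002:
bob-shared:x:1003:bob,carol
EOF
}

# groups_listing GROUPFILE USER -> groups whose member field names USER.
# A user's primary group is recorded in /etc/passwd, not here, which is why
# the per-user group above has an empty member field; "groups USER" merges both.
groups_listing() {
    awk -F: -v u="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) print $1
    }' "$1"
}

# other_members GROUPFILE GROUP USER -> members of GROUP other than USER.
# Empty output means USER is the only person this group would let in.
other_members() {
    awk -F: -v g="$2" -v u="$3" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != u) print m[i]
    }' "$1"
}

# share_with_group DIR GROUP -> the answer's recipe: keep ownership, give the
# group to GROUP, then 770 so only the owner and group members can use it.
share_with_group() {
    chown -R "$(id -un):$2" "$1" || return 1
    chmod -R 770 "$1"
}

# mode_of PATH -> the ten-character type/permission field from ls -ld
mode_of() { ls -ld "$1" | cut -c1-10; }

# Typical use (constructed names): refuse to share if the group is not private.
#   [ -z "$(other_members /etc/group friend friend)" ] && share_with_group ~/foo/bar friend
```

Without root, chown only lets you switch a file to a group you are yourself a member of, which is the limit Keck's comment points at: if you are not in the friend's group, the chown step fails. Note also that chmod -R 770 marks every regular file executable along with the directories; chmod -R u=rwX,g=rwX,o= gives the same access while setting x only on directories and on files that already had it.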

By default, each user on an Ubuntu system also has an associated group of the same name. So if you can add your friend to your group and then mark the folder in question as g+rwx, you'll be set. I vaguely remember this use case being cited as the reason to create a group for each user.

Haven't tried this, but how about a publicly readable directory with an encrypted user-space FS inside (for example encfs)? Then you can share that password with your friend, and no one else can make use of that data (well, I guess they could get the data and run a password cracker offline?).

To give Linux the same finesse as Windows in file privileges, you have to nest groups. Create one group that has the access to your folder that you would like your friend to have. Add him, or the group he resides in, to that group. For example:

/foo is the folder you want to share.
Create a group FooGroup that has the desired access to the folder.
Add the groups and users which you want to have said access to this folder to this group.

It is a big pain to have a group for each folder or file, but it is the best way to restrict access at the same level as Windows.